PKI Tutorials - Herong's Tutorial Examples - Version 2.04, by Dr. Herong Yang
IE 10 Supporting Multiple Certificate Paths
This section provides a tutorial example showing that IE 10 supports multiple certificate paths for 'login.yahoo.com'.
After deleting the root certificate "VeriSign Class 3 Public Primary Certification Authority - G5", which issued "VeriSign Class 3 Secure Server CA - G3", which issued "*.login.yahoo.com", I want to visit https://login.yahoo.com again with IE 10 to see what will happen.
1. Run IE 10 and go to https://login.yahoo.com and wait for the login page to be displayed.
2. Click the lock icon at the end of the Web address field. A small pop-up window shows up.
3. Click the "View certificates" link in the pop-up window. The Certificate dialog box shows up.
4. Click the "Certificate Path" tab. I am surprised to see that IE 10 validated the "login.yahoo.com" certificate with a new certificate path:
VeriSign Class 3 Public Primary Certification Authority (PCA3 G1 SHA1) - The root CA certificate
|- VeriSign Class 3 Public Primary Certification Authority - G5 - An intermediate CA certificate
   |- VeriSign Class 3 Secure Server CA - G3 - An intermediate CA certificate
      |- *.login.yahoo.com - The Web server certificate
5. Recall the certificate path IE 10 used before I deleted the "VeriSign Class 3 Public Primary Certification Authority - G5" certificate, which is displayed as "VeriSign" on the trusted root CA certificate tab. It looked like this:
VeriSign - The root CA certificate
|- VeriSign Class 3 Secure Server CA - G3 - The intermediate CA certificate
   |- *.login.yahoo.com - The Web server certificate
The explanation is that there are two certificates with the same identity name "VeriSign Class 3 Secure Server CA - G3":
IE 10 is smart enough to use a different certificate path to validate "login.yahoo.com" based on which root CA certificate is available.
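The path selection described above can be modeled with a small path builder. This is an added example, not code from the tutorial and not IE 10's or Windows' actual algorithm. The certificate data is constructed to mirror the two paths shown on this page, the `key` field is a stand-in for the public key, and it assumes the client has access to a copy of the G5 certificate issued by the older root.

```python
from collections import namedtuple

# Simplified model: real validation also verifies signatures, validity
# dates and extensions; here a chain is linked by issuer name only.
Cert = namedtuple("Cert", "subject issuer key")

G5 = "VeriSign Class 3 Public Primary Certification Authority - G5"
PCA3 = "VeriSign Class 3 Public Primary Certification Authority (PCA3 G1 SHA1)"
G3 = "VeriSign Class 3 Secure Server CA - G3"

# Constructed sample data mirroring the two paths shown on this page.
LEAF = Cert("*.login.yahoo.com", G3, "key-leaf")
G3_CA = Cert(G3, G5, "key-g3")
G5_ROOT = Cert(G5, G5, "key-g5")      # self-signed copy in the trusted root store
G5_CROSS = Cert(G5, PCA3, "key-g5")   # same name and key, issued by the older root
PCA3_ROOT = Cert(PCA3, PCA3, "key-pca3")


def build_paths(leaf, intermediates, trusted_roots):
    """Return every chain from leaf to a trusted root, shortest first."""
    candidates = list(intermediates) + list(trusted_roots)
    paths = []

    def extend(chain):
        tip = chain[-1]
        if tip in trusted_roots:
            paths.append([c.subject for c in chain])
            return
        # Loop guard: never add a second cert with the same name and key.
        seen = {(c.subject, c.key) for c in chain}
        for issuer in candidates:
            if issuer.subject == tip.issuer and (issuer.subject, issuer.key) not in seen:
                extend(chain + [issuer])

    extend([leaf])
    return sorted(paths, key=len)


if __name__ == "__main__":
    pool = [G3_CA, G5_CROSS]
    print("Before deleting G5 root:")
    for p in build_paths(LEAF, pool, [G5_ROOT, PCA3_ROOT]):
        print("  " + " <- ".join(p))
    print("After deleting G5 root:")
    for p in build_paths(LEAF, pool, [PCA3_ROOT]):
        print("  " + " <- ".join(p))
```

With both roots trusted, the short path ending at the G5 root is found first. With the G5 root removed, the only remaining path is the longer one ending at the PCA3 G1 root, so deleting a single root from the trust store does not by itself stop the server certificate from validating.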
Last update: 2015.